Not Invented Here Bias for Security

Pwned: The Information Security Podcast

Summary: Show Notes: https://justinfimlaid.com/not-invented-here-syndrome-for-security

Sponsor: https://www.nuharborsecurity.com

Contact Me: https://justinfimlaid.com/contact-me/

Twitter: @justinfimlaid

LinkedIn: https://www.linkedin.com/in/jfimlaid/

Have you ever had an idea to advance your company's or another company's security posture? And it's a really good idea. Like really good. You do your homework, dot the "I's" and cross the "T's", and you propose a superior solution that sets your organization up for what you think is long-term success. When you propose your idea, someone passionately proposes an alternative, weaker solution. Or worse, people take shots at your idea, trying to make it look like Swiss cheese for the apparent purpose of making an alternate idea look better.

If yes, you might have seen and experienced the "Not Invented Here Syndrome".

One of the more concise definitions of Not Invented Here Syndrome (NIHS) I've heard comes from Techopedia:

"Not invented here syndrome is a mindset or corporate culture that favors internally-developed products over externally-developed products, even when the external solution is superior.

NIHS is frequently used in the context of software development, where a programmer will overlook all the attributes of an existing solution simply because it wasn't produced in-house."

A micro variation of NIHS appears when the security department or CISO is accountable for security but doesn't have responsibility for it. So if you are a security professional whose recommended products/solutions are always "shot down" by those with budget authority, there could be a few reasons, and Not Invented Here might be the cause.

NIHS can take a couple of forms (this list adapted from Techopedia):

- The other teams don't value the work of others. They have pride in a negative way.
- They don't understand, or are unwilling to try to understand, the benefits, and lack confidence.
- Fear that their previous ideas aren't valued.
- Territorial battles, e.g. internal "turf wars".
- Fear of having to learn something new.
- Wanting to control the process. Would rather "reinvent the wheel" to maintain control.
- Jealousy that they didn't think of the idea first.
- Belief that they can do a better job.
- The other teams don't value the work of others and believe they can do better. They have pride in a positive way.

There's always the counter argument that the Security team always makes sub-tier recommendations and IT would rather keep the proverbial security train on the tracks.

Anyway, NIHS is a real thing and can really be a barrier to completing an annual plan. For organizations that don't foster innovation, NIHS can really be present in the way the company operates day to day. There are some great articles on Not Invented Here and how some of the world's longest-standing companies foster innovation and work with external ideas to make their business grow.

Some interesting links you might check out...

https://hbswk.hbs.edu/item/the-benefits-of-not-invented-here

https://www.forbes.com/sites/haroldsirkin/2017/03/09/not-invented-here-not-at-the-most-innovative-companies/#1d85172c1e35